Acme.sh: ECDSA to RSA but private key doesn't change ?

ok seems this works

1. issue and install ecc cert first
2. then force private key overwrite via --createDomainKey
3. issue and install rsa cert

... until you want to renew.

@heldchen ah yes that would be problematic unless i script the renewal myself with these steps instead of relying on acme.sh client for renewal

if you're going to script it rather use two separate acme.sh installations on the same server and use one for ECC and the other for RSA. but I still feel like that should be a feature within the acme.sh script (see #74)

Hi, @centminmod @heldchen

1. It is designed not to override the private key, unless you do it explicitly. Since, the private key is a very important stuff. The account private key is also designed this way.
2. Yes, I agree that it's better to support RSA and ECC certificate at the same time. But, thinking about it time and time again, I still could not find a good way to implement it. If you guys have any good idea, please tell me.
3. Here is a workaround for now:

# Issue the RSA cert.
acme.sh  --issue   -d   aa.com   -d www.aa.com  ...........


#Then  issue a  ECC cert.
acme.sh  --issue   --keylength   ec-256    -d  ecc.aa.com   -d  aa.com  -d www.aa.com   .......

If you don't like the domain ecc.aa.com , you can do it like :

acme.sh  --issue   --keylength   ec-256    -d www.aa.com    -d  aa.com   .......

Then the 2 certs will be in 2 different directories, and will be renewed automatically without any problems.

so happy that acme.sh is bash shell based as I can contribute and follow the code unlike python LOL

still working on integrating acme.sh into my centminmod.com LEMP stack install's nginx vhost generator - 1st manual attempt at dual ssl certs https://community.centminmod.com/dualsslcerts :)

the workaround with having different primary domain is nice too !

thinking of the top of my head, maybe do it this way

1. have a separate default variable option for key length = ecc-256 or ecc-384 from the default rsa = 2048 value
2. when folks issue a normal rsa cert, along with rsa primary key also generate a separate ecdsa based primary key i.e. domain.com-ecc.key but not the ecc certificate
3. if folks then want to generate a matching domain ecdsa cert, acme.sh on issuance will check first if domain.com-ecc.key exists and use that to issue the ecdsa cert instead of the rsa domain.com.key so it remains untouched and have the issued files with suffix of -ecc or in a separate subdirectory for the domain saved files

or just duplicate the --issue routines for a new flag --issue-dualcerts and have that new routine auto generate both rsa and ecc certs with additional keylength options like 2048-ecc256, 2048-ecc384, 4096-ecc256, 4096-ecc384 for rsa and ecdsa so that --issue-dualcerts saves the rsa and ecc cert files with different names and/or directories

my suggestion would be: if ecc is used, add the suffix "-ecc" to the domain directory, but keep the rest the same.

@heldchen Sounds good.

@Neilpang I am using this kind of solution but I don't think it sounds good.
My idea is use file name example.com.key for RSA keys and example.com.ecc.key for ECC keys.

addition:
fullchain.cer for RSA, fullchain.ecc.cerfor ECC.
aa.com.cer for RSA, aa.com.ecc.cer for ECC.

@wangqiliang
Fixed https://github.com/Neilpang/acme.sh/issues/74